Express Burn Plus v4.58 EBP Project File Handling Buffer Overflow PoC

Title: Express Burn Plus v4.58 EBP Project File Handling Buffer Overflow PoC
Advisory ID: ZSL-2012-5103
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 28.08.2012
Summary
Express Burn is a program that allows you to create and copy many kinds of disc media, including Audio (audio CDs / .mp3 CDs), Video (DVDs), and Data (CDs / DVDs / Blu-ray).
Description
The vulnerability is caused by a boundary error in the processing of a project file, which can be exploited to cause a Unicode buffer overflow when a user opens e.g. a specially crafted .EBP file. The debugger output below shows the copy loop writing the UTF-16 value 0x0041 (in cx) one word at a time until the destination pointer (edx+eax) reaches the unmapped page at 0x0157e000. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

(13d4.a84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=050a8c70 ebx=004034fc ecx=00000041 edx=fc4d5390 esi=0157cf68 edi=001297fe
eip=004678ef esp=00126420 ebp=001274c0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x678ef:
004678ef 66890c02 mov word ptr [edx+eax],cx ds:0023:0157e000=????
0:000> d eax
050a8c70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c80 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c90 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8ca0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cb0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cc0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cd0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8ce0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:000> d esi
0157cf68 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf78 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf88 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf98 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfa8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfb8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfc8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfd8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
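The WinDbg excerpt above is the kind of crash record a triage analyst receives when a fuzzed or user-reported project file crashes the application. The following script is an added example (not part of the advisory or of the eburn_bof.pl PoC) that parses such an excerpt, recomputes the faulting effective address from the dumped registers, and checks for the signatures of a sequential wide-character overflow: a write access violation, a target on a page boundary, and memory filled with one character repeated as UTF-16LE. The embedded log is a constructed excerpt that copies the register values, faulting instruction and dump bytes from the advisory; the parsing rules for the register, instruction and `d` output lines are assumptions about WinDbg's default text layout.

```python
import re

# Constructed excerpt of the WinDbg session quoted in the advisory above;
# register values, faulting instruction and dump bytes are those on the page.
CRASH_LOG = """\
(13d4.a84): Access violation - code c0000005 (first chance)
eax=050a8c70 ebx=004034fc ecx=00000041 edx=fc4d5390 esi=0157cf68 edi=001297fe
eip=004678ef esp=00126420 ebp=001274c0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
image00400000+0x678ef:
004678ef 66890c02 mov word ptr [edx+eax],cx ds:0023:0157e000=????
0:000> d eax
050a8c70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c80 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})")
AV_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
# Assumed layout of the faulting line: "<eip> <opcode bytes> <disassembly> ds:<sel>:<target>=..."
FAULT_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(.+?)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=", re.M)
# Assumed layout of one `d` line: address, 16 bytes (8th and 9th joined by '-'), ASCII column
DUMP_RE = re.compile(r"^[0-9a-f]{8}\s+((?:[0-9a-f]{2}[ -]){16})", re.M)
OPERAND_WIDTH = (("dword ptr", 4), ("word ptr", 2), ("byte ptr", 1))
SUBREG = {"ax": "eax", "bx": "ebx", "cx": "ecx", "dx": "edx"}  # 16-bit halves of the dumped registers
PAGE_MASK = 0xFFF


def parse_registers(log):
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}


def parse_fault(log):
    m = FAULT_RE.search(log)
    if m is None:
        return None
    return {"eip": int(m.group(1), 16), "opcode": m.group(2),
            "instr": m.group(3), "target": int(m.group(4), 16)}


def effective_address(mem_operand, regs):
    """Resolve a simple [reg+reg+disp] operand with the dumped registers, wrapping at 32 bits."""
    inside = mem_operand[mem_operand.index("[") + 1:mem_operand.index("]")]
    total = 0
    for term in inside.split("+"):
        term = term.strip()
        total += regs[term] if term in regs else int(term, 16)
    return total & 0xFFFFFFFF


def dump_bytes(log):
    """Concatenate the raw bytes of every `d` dump line in the log."""
    return b"".join(bytes.fromhex(chunk.replace("-", " ")) for chunk in DUMP_RE.findall(log))


def is_utf16_fill(data):
    """True when the bytes are one printable character repeated as UTF-16LE (e.g. 41 00 41 00 ...)."""
    if len(data) < 4 or len(data) % 2:
        return False
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return len(set(text)) == 1 and text.isprintable()


def triage(log):
    """Summarise the crash: what faulted, whether it is a write, and whether the data is a UTF-16 fill."""
    regs = parse_registers(log)
    fault = parse_fault(log)
    av = AV_RE.search(log)
    if fault is None or av is None:
        return {"classification": "no faulting instruction found"}
    mnemonic, operands = fault["instr"].split(None, 1)
    parts = [p.strip() for p in operands.split(",")]
    dest, src = parts[0], (parts[1] if len(parts) > 1 else None)
    is_write = "[" in dest  # destination operand is a memory reference
    width = next((w for prefix, w in OPERAND_WIDTH if dest.startswith(prefix)), None)
    ea = effective_address(dest, regs) if is_write else None
    written = regs[SUBREG[src]] & 0xFFFF if src in SUBREG else regs.get(src)
    result = {
        "exception_code": av.group(1),
        "mnemonic": mnemonic,
        "is_write": is_write,
        "width": width,
        "effective_address": ea,
        "matches_debugger_target": ea == fault["target"],
        "page_aligned_target": (fault["target"] & PAGE_MASK) == 0,
        "written_value": written,
        "utf16_fill": is_utf16_fill(dump_bytes(log)),
    }
    if is_write and result["page_aligned_target"] and result["utf16_fill"]:
        result["classification"] = "write AV at page boundary with UTF-16 fill data: sequential wide-char overflow"
    elif is_write:
        result["classification"] = "write access violation"
    else:
        result["classification"] = "read access violation"
    return result


if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key:>24}: {value:#010x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>24}: {value}")
```

Recomputing edx+eax from the register dump (0xfc4d5390 + 0x050a8c70 wraps to 0x0157e000) and comparing it with the address WinDbg reports is a cheap consistency check that the log was not truncated or mixed from two sessions; a write that lands exactly on a page boundary with a single repeated UTF-16 character behind it is the typical picture of a copy loop walking off the end of a fixed-size buffer, which is what makes this crash worth a full root-cause analysis rather than a plain DoS ticket.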

--------------------------------------------------------------------------------

Vendor
NCH Software - http://www.nchsoftware.com
Affected Version
4.58
Tested On
Microsoft Windows 7 Ultimate SP1 EN
Vendor Status
N/A
PoC
eburn_bof.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2012080256
[2] http://packetstormsecurity.org/files/115947
[3] http://secunia.com/advisories/50439/
[4] http://www.exploit-db.com/exploits/20870/
[5] http://www.securityfocus.com/bid/55242
[6] http://xforce.iss.net/xforce/xfdb/78056
[7] http://www.osvdb.org/show/osvdb/84966
[8] http://www.vfocus.net/art/20120828/10330.html
Changelog
[28.08.2012] - Initial release
[29.08.2012] - Added reference [6]
[31.08.2012] - Added reference [7]
[17.09.2012] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk